Cloud Computing Security
Raining on the Trendy New Parade
Andrew Becherer, Alex Stamos, Nathan Wilcox
BlackHat USA 2009

https://www.isecpartners.com

Agenda
• Cloud Computing Defined
• Software as a Service
• Platform as a Service
• Infrastructure as a Service

2

Special Thanks
• Chris Clark
• Alex Vidergar
• Scott Stender
• Andreas Junestam

3

Cloud Computing
“am i the only one who has an urge to punch myself in the neck whenever i hear about 'the cloud'?”
- Arshan Dabirsiaghi, commenter at Jeremiah’s blog

No, Arshan, you are not the only one.

4

Cloud Computing
• Term is useless
• What is it not?
  - Virtualization
  - Remote backup
  - Most of the stuff called cloud computing

5

Cloud Computing
• Generally means:
  - Lots of general purpose hosts
  - Central management
  - Distributed

<apex:page controller="myClass" action="{!init}">

• Preconditions exclude CSRF token validation
• Input parameter vuln to CSRF

public class myClass {
    public void init() {
        Id id = ApexPages.currentPage().getParameters().get('id');
        Account obj = [select id, Name FROM Account WHERE id = :id];
        delete obj;
        return ;
    }
}

Ref: http://wiki.developerforce.com/index.php/Apex_and_Visualforce_Security_Tips

36

CSRF Lessons
• Deviations from the “ancestor” frameworks lead to configuration headaches:
  - AppEngine/Django middleware.
  - Azure requires new session configuration.
• Force.com trades a better default at the cost of learning a new language and platform.
• Custom handlers tend to inadvertently disable the protection.

37

Cross-site Scripting
• We focus on output encoding over input validation.
• Requires more developer awareness than CSRF.
• Typically devs must consider which parameters to escape.
• The framework solution is not inherently different in the Cloud environment (as with CSRF).

38

GAE XSS Filtering
• AppEngine templates can use Django filters, including an XSS encoder: escape
• This filter encodes for HTML body and non-JS attribute contexts.

GAE Templates: http://code.google.com/appengine/docs/python/gettingstarted/templates.html

39

GAE XSS Filtering…
• Example:

  {% for greeting in greetings %}
    Santa says: {{greeting.content|escape}}
  {% endfor %}

  Today's limerick is:



GAE Templates: http://code.google.com/appengine/docs/python/gettingstarted/templates.html

40

Azure XSS Filtering
• Azure relies on standard ASP.NET for output encoding:
  - HttpUtility.HtmlEncode or .InnerText property.
  - HttpUtility.UrlEncode
• HtmlEncode and .InnerText are for the HTML body or non-JS attribute contexts.
• Examples:
  Welcome1.InnerText = "Hello, " + User.Identity.Name;
  Response.Write(HttpUtility.HtmlEncode(Request.Form["name"]));

XSS tutorial: http://msdn.microsoft.com/en-us/library/ms998274.aspx

41

Force.com XSS Filtering
• Two UI frameworks:
  - S-Controls provide UI via JS mechanisms (older design)
  - Visualforce provides markup template language

Security Tips: http://wiki.developerforce.com/index.php/Apex_and_Visualforce_Security_Tips

42

Force.com S-Controls
• Eschew eval() and string-based callbacks:
  window.setTimeout('flingAnimal(' + evilParam + ')')
• Use higher level DOM API and .innerText, not .innerHTML
• Server-side expansions must be manually escaped:
  {!SUBSTITUTE(SUBSTITUTE($Request.title,"<","&lt;"),">","&gt;")}

Security Tips: http://wiki.developerforce.com/index.php/Apex_and_Visualforce_Security_Tips

43

Force.com Visualforce
• Tags in the apex: namespace escape text contents, eg:
  {!$CurrentPage.parameters.attackedParam}
  vuln link

Security Tips: http://wiki.developerforce.com/index.php/Apex_and_Visualforce_Security_Tips

44

XSS Lessons
• The PaaS frameworks are status quo compared to classic frameworks.
• Force.com has legacy S-Controls, despite a fresh start.
• Devs need to understand language context issues.
• Or simpler: don’t place parameters in JavaScript, ever.

45

Context is Key
• There are many unaccounted for contexts: JS event handler
  Escape for wrong context.
• If the greeting content is: ' + alert('xss') + '
• The expansion becomes:
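As an added Python example (not from the slides or from any of the frameworks discussed): the greeting above expanded through a Django-style `escape` filter into a JS event handler, beside an encoder for the JavaScript-string context. The `say()` handler, the anchor template and the `js_string_escape` helper are assumptions made for the example.

```python
import html

# Constructed sample: the greeting content from the "Context is Key" slides.
EVIL_GREETING = "' + alert('xss') + '"


def django_escape(value: str) -> str:
    """Same substitutions as the Django/GAE template `escape` filter, which is
    meant for the HTML body and non-JS attribute contexts."""
    for raw, ref in (("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"),
                     ('"', "&quot;"), ("'", "&#39;")):
        value = value.replace(raw, ref)
    return value


def js_string_escape(value: str) -> str:
    """Encoder for the JavaScript string-literal context (an assumed helper, not a
    GAE filter): everything but ASCII letters and digits becomes \\xHH or \\uHHHH,
    so the value can neither close the quotes nor the attribute."""
    return "".join(
        c if c.isascii() and c.isalnum()
        else ("\\x%02x" % ord(c) if ord(c) < 0x100 else "\\u%04x" % ord(c))
        for c in value)


def render_handler(content: str, encoder) -> str:
    """Assumed template shape: the greeting lands in a JS string literal that
    itself sits inside an HTML event-handler attribute."""
    return '<a onclick="say(\'%s\')">Santa says hi</a>' % encoder(content)


def js_seen_by_engine(markup: str) -> str:
    """The browser HTML-decodes the attribute value before the JS engine parses
    it, so &#39; is a plain quote again by the time JavaScript runs."""
    start = markup.index('onclick="') + len('onclick="')
    return html.unescape(markup[start:markup.index('"', start)])


def string_delimiters(js: str) -> int:
    """Quotes the JS parser treats as literal delimiters; say('...') needs two."""
    return js.count("'")


if __name__ == "__main__":
    for name, enc in (("escape filter", django_escape),
                      ("JS-string escape", js_string_escape)):
        js = js_seen_by_engine(render_handler(EVIL_GREETING, enc))
        print("%-16s -> %s  (%d delimiters)" % (name, js, string_delimiters(js)))
```

With the HTML filter the engine sees six quote delimiters and an `alert` call outside any string; with the JS-string encoder it sees exactly two and the payload stays inert text.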